From d4a8fac6cd05a7fa784566bdb7a97665fdfcfb2e Mon Sep 17 00:00:00 2001
From: Astro
Date: Fri, 18 Nov 2016 02:34:03 +0100
Subject: [PATCH] lxc-containers: limits n caps

---
 salt/lxc-containers/config | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/salt/lxc-containers/config b/salt/lxc-containers/config
index 5d6f593..625add4 100644
--- a/salt/lxc-containers/config
+++ b/salt/lxc-containers/config
@@ -1,3 +1,6 @@
+# For lxcfs and sane defaults
+lxc.include = /usr/share/lxc/config/common.conf
+
 lxc.utsname = {{ id }}
 # Handled by lxc@.service
 lxc.start.auto = 0
@@ -33,8 +36,12 @@ lxc.network.ipv4.gateway={{ pillar['hosts-inet'][net][gw] }}
 #lxc.network.ipv6.gateway=fe80::1
 {%- endfor %}
 
-## TODO: limits + caps
-## TODO: include Debian.common.conf
+
+lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time
+
+lxc.cgroup.memory.limit_in_bytes = 512M
+lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
+
 
 # tuntap
 lxc.cgroup.devices.allow = c 10:200 rw
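Review bot: The comment on the new `lxc.include` line at the top of the file does not say which settings the container now inherits, and that baseline lives in a package-owned file outside this Salt state. The shipped common.conf normally carries its own `lxc.cap.drop` list and a devices cgroup policy, though the contents vary with the installed LXC version and are worth confirming on the hosts. Because the include comes first, every later `lxc.cap.drop` and `lxc.cgroup.*` line in this template extends or overrides it. I would spell that out, e.g. `# Baseline from the lxc package (cap drops, devices cgroup policy, lxcfs integration); settings below extend or override it`, so that a package upgrade which changes the baseline is recognised as a change in container confinement.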
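Review bot: `sys_time` appears twice in the new `lxc.cap.drop` line, which suggests a different capability was meant for the last slot; the duplicate is harmless, but the list drops one capability fewer than it appears to. If nothing else was intended, `lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio` expresses the same policy. The list also leaves `sys_admin` in place, so unless these containers run with a uid mapping (not visible in this hunk) the drop is a modest reduction rather than a confinement boundary, and a comment saying so would set expectations. `memory.limit_in_bytes` on its own does not cap swap; if swap accounting is enabled on the hosts, a matching `lxc.cgroup.memory.memsw.limit_in_bytes` line would cover it.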